* This edition of the newsletter is presented by Symmetry Systems and SecurityWeek.
Note.
- I’ll be interviewing Coveware chief executive Bill Siegel on the murky world of ransomware negotiations with cybercriminal gangs. Catch the session at the Ransomware Resilience & Recovery Summit on Jan 26th.
Monday blues.
The consumer AV business has been dead and buried for a few years (seriously, all you need is the free Windows Defender!) but we can’t seem to get rid of the leftover stench.
The once-mighty consumer AV brands are now openly scratching around for dollars in the dubious world of cryptocurrency mining (see Norton Crypto and Avira Crypto), turning idle AV engines into coin-miners on behalf of mostly confused consumers.
Instead of innovating to protect users from crypto-jacking malware (this really is a major menace), we now have security vendors dabbling in business models that are at odds with providing protection to end users.
By the way, Radio Shack is also a new crypto-mining company. Don’t even laugh.
Today is Patch Tuesday and the word “wormable” is back in vogue. Update those Windows boxes and remember to reboot those iPhones at least once a week.
Cheers,
_ryan
On to the newsletter…
Sponsored: Symmetry DataGuard
Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Schedule a demo.
A new podcast for your earholes.
Catch my latest interview with Justin Campbell, head of the Microsoft Offensive Research and Security Engineering (MORSE) team. We chat about his team’s discovery of an in-the-wild zero-day being exploited by Chinese APT, the never-ending stream of memory safety vulnerabilities haunting the industry, the evolving ‘shift-left’ developer mindset and Redmond’s ongoing work to reduce attack surfaces. Listen here.
Don’t miss recent conversations with Costin Raiu on the mercenary hacker-for-hire industry and Corellium’s Amanda Gorton on raising a $25 million funding round for virtualization technology.
Security response priorities.
- The U.S. government’s CISA has added 15 known exploited vulnerabilities to its must-patch catalog. They include critical bugs in code from VMWare, Google, Microsoft, Oracle, Fortinet and Palo Alto.
- Microsoft has spotted a ransomware gang out of China hitting VMWare Horizon servers with Log4j exploits.
- Redmond is documenting its discovery of an already-patched macOS security defect that lets malicious hackers bypass Apple’s Transparency, Consent, and Control (TCC) technology.
- The folks at ZDI do the best work breaking down Microsoft’s Patch Tuesday mega drops.
- Adobe’s run on the patch treadmill comes with some pretty serious Adobe Reader fixes.
Apache decries open-source leechers.
Shout-out to the Apache Software Foundation (ASF) volunteers for calling a spade a spade. In a position paper published ahead of a White House meeting tomorrow, the open-source group called out companies that leech on the open-source ecosystem.
Quotable snippets from the world’s largest open-source non-profit:
“Community is defined by those who show up and do the work. Companies that build open source into their products rarely participate in their continued maintenance.”
“Only a tiny percentage of downstream companies (reusing the same code within their own products) choose to participate [in ASF security projects].”
“Help fix bugs. Conduct security audits and feed back the results. Cash, while welcome and useful, isn’t sufficient. We eagerly welcome audits and fixes from any source.”
“Security directives MUST avoid placing additional unfunded burdens on the few maintainers who are already doing the work.”
This is one of computing’s big shames, and this is what happens when open-source developers start to feel abused by profitable companies.
Must-read research.
- Patrick Wardle’s annual look at malware in Apple’s macOS ecosystem (printable PDF) is comprehensive proof of you-know-what.
- The all-volunteer Apache Software Foundation (ASF) processed 11,500 security-related emails last year. After a ton of triaging, those emails produced 183 CVEs.
- Researchers at Claroty and Snyk document URL parsing defects that cause major security problems.
- NCC Group looks closely at FPGAs and the notion of security through obscurity.
- Hacker Bill Demirkapi provides a deep technical analysis of a Microsoft Office remote code execution exploit.
Essays.
- Celebrated cryptographer Moxie Marlinspike digs into Web3, NFTs and all the crypto things the kids are talking about. He isn’t impressed. Separately, Moxie is giving up the CEO chair at Signal.
- Selena Larson argues that changing the calculus on defense remains the most important way to prevent attacks, even if it is not as attention-grabbing as offensive efforts.
- Jason Bartlett looks at the North Korean cybercrime ecosystem and finds some ugly truths.
- Gigamon’s Joe Slowik debunks some myths around supply chain intrusions.
The VC bubble.
- Crunchbase data shows cybersecurity venture funding surpassed $20 billion in 2021. To help put the quarterly numbers in perspective, keep in mind 2020 saw $8.9 billion invested in cybersecurity globally.
- Israeli cybersecurity startups in 2021 raised a stunning $8.84 billion, more than triple the amount in 2020 ($2.75 billion). Investments last year were distributed across 135 rounds, up from 109 in 2020, with 15 startups raising more than one funding round last year.
- The average seed round increased by 35 percent to $7 million, up from $5.2 million in 2021.
Tangentially.
- This is a really interesting story on how a major hotel chain converted Windows PCs into Chrome OS-powered machines to recover from a ransomware attack.
P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.